c4-model
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes `npx likec4 validate` in the shell to verify the syntax of the generated LikeC4 model files. This is a standard functional requirement for the skill's stated purpose.
- [EXTERNAL_DOWNLOADS]: Through the use of `npx`, the skill may download the `likec4` package from the official npm registry if it is not already available in the execution environment. This is a reference to a well-known technology tool.
- [PROMPT_INJECTION]: The skill processes external architectural documentation, such as discovery briefs and existing model files, to generate diagrams. This ingestion of untrusted local data represents an indirect prompt injection surface. However, the risk is minimized by the skill's use of strict 'locked' templates, a mandatory internal linting step ('CANONICAL-C4 LINT'), and clear instructions to avoid hallucination.
Audit Metadata